BleepingComputer reports that GitHub Desktop, GitHub CLI/Codespaces, Git Credential Manager, and Git LFS could have had their access tokens and credentials exfiltrated by any of the three Clone2Leak attack types, which abuse the way Git and its credential helpers handle authentication requests.
All of the now-patched vulnerabilities stem from inadequate parsing of authentication requests by the credential helpers, according to a report from GMO Flatt Security researcher RyotaK. Exploiting the carriage return smuggling issues in GitHub Desktop and Git Credential Manager, tracked as CVE-2025-23040 and CVE-2024-50338, or the Git LFS newline injection bug, tracked as CVE-2024-53263, results in GitHub credentials being delivered to an attacker's server. Attackers could also leverage a credential retrieval logic flaw in GitHub CLI and GitHub Codespaces, tracked as CVE-2024-53858, to enable malicious repository cloning and authentication token compromise. Organizations have been urged not only to upgrade to the latest versions of the affected Git software but also to enable Git's 'credential.protectProtocol' setting to combat credential smuggling.
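The common thread in the bugs above is a line-oriented protocol (one "key=value" per line, a blank line ending the request) whose values were allowed to carry the very characters that terminate lines. The following is an added example, not code from the article or from Git or any of the affected projects: a simplified model of the credential-helper exchange with a lenient parser that, like a ReadLine-style reader, treats a bare carriage return as a line break, beside a strict parser and a Git-side guard in the spirit of credential.protectProtocol. Field names, the sample requests and the `attacker.invalid` host are constructed for illustration.

```python
# Added example (not from the article, Git, or any affected project): a
# simplified model of Git's line-oriented credential-helper protocol, showing
# why a CR or LF inside a field value must be rejected rather than parsed.
# Field names, sample values and the helper functions are assumptions.
import re
from typing import Dict

# Constructed sample request, as Git would hand it to a helper: one
# "key=value" per line, blank line terminates the request.
CLEAN_REQUEST = "protocol=https\nhost=github.com\npath=org/repo.git\n\n"

# Constructed sample in which the path value carries an embedded carriage
# return followed by a second "host=" pair, a simplified form of the
# smuggling the article describes.
SMUGGLED_REQUEST = (
    "protocol=https\nhost=github.com\n"
    "path=org/repo.git\rhost=attacker.invalid\n\n"
)


def parse_lenient(request: str) -> Dict[str, str]:
    """Parser that treats '\\r', '\\n' and '\\r\\n' all as line terminators,
    as a ReadLine-style API does. Later keys overwrite earlier ones, so a
    smuggled 'host=' line silently changes where the credential is sent."""
    fields: Dict[str, str] = {}
    for line in re.split(r"\r\n|\r|\n", request):
        if line == "":
            break  # blank line ends the request
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def parse_strict(request: str) -> Dict[str, str]:
    """Hardened parser: only '\\n' terminates a line, and a value that still
    contains a '\\r' (or, defensively, a '\\n') is rejected outright instead
    of being reinterpreted as a second field."""
    fields: Dict[str, str] = {}
    for line in request.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed credential line: {line!r}")
        if "\r" in value or "\n" in value:
            raise ValueError(f"control character in value for {key!r}")
        fields[key] = value
    return fields


def build_request(protocol: str, host: str, path: str) -> str:
    """Git-side guard, in the spirit of credential.protectProtocol: refuse to
    hand any component containing a line terminator to a credential helper,
    so a lenient helper downstream never sees a smuggled line at all."""
    for name, value in (("protocol", protocol), ("host", host), ("path", path)):
        if "\r" in value or "\n" in value:
            raise ValueError(
                f"refusing to pass {name!r} containing a line terminator to a helper"
            )
    return f"protocol={protocol}\nhost={host}\npath={path}\n\n"


if __name__ == "__main__":
    # The lenient parser is redirected; the strict one refuses the request.
    print("lenient host:", parse_lenient(SMUGGLED_REQUEST)["host"])
    try:
        parse_strict(SMUGGLED_REQUEST)
    except ValueError as exc:
        print("strict parser:", exc)
    try:
        build_request("https", "github.com", "org/repo.git\rhost=attacker.invalid")
    except ValueError as exc:
        print("git-side guard:", exc)
```

Both layers matter in practice: the strict parser protects a helper against any caller, while the Git-side guard protects every helper, including third-party ones that still split on a bare carriage return, which is why the advice above is to upgrade and to turn on the protocol protection rather than relying on one fix alone.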